<article>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#article10_02_06_1933211</id>
	<title>Web App Scanners Miss Half of Vulnerabilities</title>
	<author>kdawson</author>
	<datestamp>1265446620000</datestamp>
	<htmltext>seek3r sends news of a recent test of six web application security scanning products, in which the scanners <a href="http://ha.ckers.org/blog/20100203/accuracy-and-time-costs-of-web-application-security-scanner-report/">missed an average of 49% of the vulnerabilities</a> known to be on the test sites. Here is a <a href="http://ha.ckers.org/files/Accuracy_and_Time_Costs_of_Web_App_Scanners.pdf">PDF of the report</a>. The irony is that the test pitted each scanner against the public test files of all the scanners. This reader adds, "Is it any wonder that being PCI compliant is meaningless from a security point of view? You can perform a Web app scan, check the box on your PCI audit, and still have the security posture of Swiss cheese on your Web app!" <i>"NTOSpider found over twice as many vulnerabilities as the average competitor having a 94% accuracy rating, with Hailstorm having the second best rating of 62%, but only after extensive training by an expert. Appscan had the second best 'Point and Shoot' rating of 55% and the rest averaged 39%."</i></htmltext>
<tokentext>seek3r sends news of a recent test of six web application security scanning products , in which the scanners missed an average of 49 % of the vulnerabilities known to be on the test sites .
Here is a PDF of the report .
The irony is that the test pitted each scanner against the public test files of all the scanners .
This reader adds , " Is it any wonder that being PCI compliant is meaningless from a security point of view ?
You can perform a Web app scan , check the box on your PCI audit , and still have the security posture of Swiss cheese on your Web app !
" " NTOSpider found over twice as many vulnerabilities as the average competitor having a 94 % accuracy rating , with Hailstorm having the second best rating of 62 % , but only after extensive training by an expert .
Appscan had the second best 'Point and Shoot ' rating of 55 % and the rest averaged 39 % .
"</tokentext>
<sentencetext>seek3r sends news of a recent test of six web application security scanning products, in which the scanners missed an average of 49% of the vulnerabilities known to be on the test sites.
Here is a PDF of the report.
The irony is that the test pitted each scanner against the public test files of all the scanners.
This reader adds, "Is it any wonder that being PCI compliant is meaningless from a security point of view?
You can perform a Web app scan, check the box on your PCI audit, and still have the security posture of Swiss cheese on your Web app!
" "NTOSpider found over twice as many vulnerabilities as the average competitor having a 94% accuracy rating, with Hailstorm having the second best rating of 62%, but only after extensive training by an expert.
Appscan had the second best 'Point and Shoot' rating of 55% and the rest averaged 39%.
"</sentencetext>
</article>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048056</id>
	<title>PCI compliant is meaningless?</title>
	<author>CVD1979</author>
	<datestamp>1265452380000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>"Is it any wonder that being PCI compliant is meaningless from a security point of view?"</p><p>Where's that quote from? I can't find it on either the page or in the PDF...</p>
	</htmltext>
<tokentext>" Is it any wonder that being PCI compliant is meaningless from a security point of view ?
" Where 's that quote from ?
I ca n't find it on either the page or in the PDF.. .</tokentext>
<sentencetext>"Is it any wonder that being PCI compliant is meaningless from a security point of view?
"Where's that quote from?
I can't find it on either the page or in the PDF...
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048342</id>
	<title>Did everyone miss they tested against NTO site?</title>
	<author>Anonymous</author>
	<datestamp>1265455260000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Did everyone miss the statement they made</p><p>they were testing against NTO's own website.</p><p>omfg, every other scanner performed poorly against a specially-constructed site<br>that was put together by the "winner" in the results!</p><p>wow.. that's amazing that their own product performed best. who woulda thunk it!</p><p>and later in the news: water is wet!! /s</p></htmltext>
<tokentext>Did everyone miss the statement they made
they were testing against NTO 's own website .
omfg , every other scanner performed poorly against a specially-constructed site that was put together by the " winner " in the results !
wow.. that 's amazing that their own product performed best .
who woulda thunk it !
and later in the news : water is wet ! !
/s</tokentext>
<sentencetext>Did everyone miss the statement they made
they were testing against NTO's own website.
omfg, every other scanner performed poorly against a specially-constructed site that was put together by the "winner" in the results!
wow.. that's amazing that their own product performed best.
who woulda thunk it!
and later in the news: water is wet!!
/s</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31049804</id>
	<title>Re:"Hold still while we scan you"</title>
	<author>DavidTC</author>
	<datestamp>1265470560000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Well, I can sorta see their point in saying 'You have to give us the permissions of the least restrictive IP you have'.</p><p>
But it's actually still dumb. The only IPs in my firewalls (Besides the mail server which has temp blocks for spammers) are the IPs of my other servers, so I can restrict specific things to them.</p><p>
The only two that I can think of are access to the mysql port (So other servers can use a database), and access to a special mail submission port without any other security on it. (So my web servers can easily send email. I used to do this via postfix checking IPs, and then I figured, why even let the wrong IP connect?)</p><p>
Granted, there is a <b>possible</b> security issue there, but these protected services are either still password protected, like the mysql one, or not actually huge risks, like the mail server. (I wouldn't want to be spewing spam, but it's hardly going to result in someone stealing customer CC numbers.)</p><p>
I firewall those simply because I don't think it's good to expose unneeded services to the internet, but they're hardly insecure.</p><p>
But if I were in charge of security, and I had, for some reason or another, needed to run a vulnerable service and protect it behind a firewall except for a few IPs, I don't think that's a particularly large problem. Need to make sure everyone who can mess with the firewall <b>knows</b> that port must always be firewalled, but that's about it.</p><p>
I wonder how they deal with Windows machines, which essentially <b>always</b> have insecure ports, and just have a firewall in front of them.</p></htmltext>
<tokentext>Well , I can sorta see their point in saying 'You have to give us the permissions of the least restrictive IP you have' .
But it 's actually still dumb .
The only IPs in my firewalls ( Besides the mail server which has temp blocks for spammers ) are the IPs of my other servers , so I can restrict specific things to them .
The only two that I can think of are access to the mysql port ( So other servers can use a database ) , and access to a special mail submission port without any other security on it .
( So my web servers can easily send email .
I used to do this via postfix checking IPs , and then I figured , why even let the wrong IP connect ?
) Granted , there is a possible security issue there , but these protected services are either still password protected , like the mysql one , or not actually huge risks , like the mail server .
( I would n't want to be spewing spam , but it 's hardly going to result in someone stealing customer CC numbers .
) I firewall those simply because I do n't think it 's good to expose unneeded services to the internet , but they 're hardly insecure .
But if I were in charge of security , and I had , for some reason or another , needed to run a vulnerable service and protect it behind a firewall except for a few IPs , I do n't think that 's a particularly large problem .
Need to make sure everyone who can mess with the firewall knows that port must always be firewalled , but that 's about it .
I wonder how they deal with Windows machines , which essentially always have insecure ports , and just have a firewall in front of them .</tokentext>
<sentencetext>Well, I can sorta see their point in saying 'You have to give us the permissions of the least restrictive IP you have'.
But it's actually still dumb.
The only IPs in my firewalls (Besides the mail server which has temp blocks for spammers) are the IPs of my other servers, so I can restrict specific things to them.
The only two that I can think of are access to the mysql port (So other servers can use a database), and access to a special mail submission port without any other security on it.
(So my web servers can easily send email.
I used to do this via postfix checking IPs, and then I figured, why even let the wrong IP connect?
)
Granted, there is a possible security issue there, but these protected services are either still password protected, like the mysql one, or not actually huge risks, like the mail server.
(I wouldn't want to be spewing spam, but it's hardly going to result in someone stealing customer CC numbers.
)
I firewall those simply because I don't think it's good to expose unneeded services to the internet, but they're hardly insecure.
But if I were in charge of security, and I had, for some reason or another, needed to run a vulnerable service and protect it behind a firewall except for a few IPs, I don't think that's a particularly large problem.
Need to make sure everyone who can mess with the firewall knows that port must always be firewalled, but that's about it.
I wonder how they deal with Windows machines, which essentially always have insecure ports, and just have a firewall in front of them.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048722</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31049830</id>
	<title>Re:"Hold still while we scan you"</title>
	<author>Anonymous</author>
	<datestamp>1265471100000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>It's not as dumb as you may think. Security is based on a layered approach. If your firewall was down for some reason then the next layer of "security" would be your web app security. So that has to be secured as well. As long as in their report they point out explicitly that they could not bypass the first layer of security then you should be fine with that. By your logic if I had a big iron gate and a massive fence all around my property then I wouldn't need locks on my windows or doors!</p></htmltext>
<tokentext>It 's not as dumb as you may think .
Security is based on a layered approach .
If your firewall was down for some reason then the next layer of " security " would be your web app security .
So that has to be secured as well .
As long as in their report they point out explicitly that they could not bypass the first layer of security then you should be fine with that .
By your logic if I had a big iron gate and a massive fence all around my property then I would n't need locks on my windows or doors !</tokentext>
<sentencetext>It's not as dumb as you may think.
Security is based on a layered approach.
If your firewall was down for some reason then the next layer of "security" would be your web app security.
So that has to be secured as well.
As long as in their report they point out explicitly that they could not bypass the first layer of security then you should be fine with that.
By your logic if I had a big iron gate and a massive fence all around my property then I wouldn't need locks on my windows or doors!</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048722</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048092</id>
	<title>Re:The cat and mouse game.</title>
	<author>ls671</author>
	<datestamp>1265452680000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>&gt; If your website has only 1 vulnerability and no scanner detects, score 1 for the bad guys.</p><p>except that the "bad guys" mostly use scanners to discover holes ;-))</p><p>So interestingly enough, holes detectable with scanners are more exploited.</p></htmltext>
<tokentext>&gt; If your website has only 1 vulnerability and no scanner detects , score 1 for the bad guys .
except that the " bad guys " mostly use scanners to discover holes ; - ) )
So interestingly enough , holes detectable with scanners are more exploited .</tokentext>
<sentencetext>&gt; If your website has only 1 vulnerability and no scanner detects, score 1 for the bad guys.
except that the "bad guys" mostly use scanners to discover holes ;-))
So interestingly enough, holes detectable with scanners are more exploited.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31047996</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048166</id>
	<title>Re:The cat and mouse game.</title>
	<author>JWSmythe</author>
	<datestamp>1265453520000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>3</modscore>
	<htmltext><p>
&nbsp; &nbsp; From what I recall doing this for sites that handled credit card processing (me being on the tested side), those tests are pretty much worthless.</p><p>
&nbsp; &nbsp; If you had 1 vulnerability, you'd get pages of false positives or irrelevant information.  I recall a particular 10 page report we got back that we were advised to fix or we'd fail on.  The only item to fix was that the version of the web server was just one behind current.  The changelog indicated that it was to fix a vulnerability on a different platform, so it was completely unrelated to us.  We'd frequently have points marked off because we couldn't be pinged or portscanned.  I'd have to open the firewall up to them, just to be scanned.  Our security would identify an attempted port scan as a hostile action, and react by dropping all traffic from them. Sorry my security stopped your scanning, but that's the intention of it. {sigh}</p><p>
&nbsp; &nbsp; After opening the firewall to them, and changing the version number on the web server (there were reasons we couldn't do the trivial upgrade), we passed with flying colors.</p><p>
&nbsp; &nbsp; For them, they were interested in the version numbers handed off by the server, not what they actually were.  For example, if it was Apache, we could have it report Apache version 9.9.9, and that would have made us pass on that part without fail for years.</p></htmltext>
<tokentext>    From what I recall doing this for sites that handled credit card processing ( me being on the tested side ) , those tests are pretty much worthless .
    If you had 1 vulnerability , you 'd get pages of false positives or irrelevant information .
I recall a particular 10 page report we got back that we were advised to fix or we 'd fail on .
The only item to fix was that the version of the web server was just one behind current .
The changelog indicated that it was to fix a vulnerability on a different platform , so it was completely unrelated to us .
We 'd frequently have points marked off because we could n't be pinged or portscanned .
I 'd have to open the firewall up to them , just to be scanned .
Our security would identify an attempted port scan as a hostile action , and react by dropping all traffic from them .
Sorry my security stopped your scanning , but that 's the intention of it .
{ sigh }     After opening the firewall to them , and changing the version number on the web server ( there were reasons we could n't do the trivial upgrade ) , we passed with flying colors .
    For them , they were interested in the version numbers handed off by the server , not what they actually were .
For example , if it was Apache , we could have it report Apache version 9.9.9 , and that would have made us pass on that part without fail for years .</tokentext>
<sentencetext>
    From what I recall doing this for sites that handled credit card processing (me being on the tested side), those tests are pretty much worthless.
    If you had 1 vulnerability, you'd get pages of false positives or irrelevant information.
I recall a particular 10 page report we got back that we were advised to fix or we'd fail on.
The only item to fix was that the version of the web server was just one behind current.
The changelog indicated that it was to fix a vulnerability on a different platform, so it was completely unrelated to us.
We'd frequently have points marked off because we couldn't be pinged or portscanned.
I'd have to open the firewall up to them, just to be scanned.
Our security would identify an attempted port scan as a hostile action, and react by dropping all traffic from them.
Sorry my security stopped your scanning, but that's the intention of it.
{sigh}
    After opening the firewall to them, and changing the version number on the web server (there were reasons we couldn't do the trivial upgrade), we passed with flying colors.
    For them, they were interested in the version numbers handed off by the server, not what they actually were.
For example, if it was Apache, we could have it report Apache version 9.9.9, and that would have made us pass on that part without fail for years.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31047996</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31051940</id>
	<title>being PCI compliant is meaningless</title>
	<author>viralMeme</author>
	<datestamp>1265551920000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>&gt; being PCI compliant is meaningless from a security point of view? You can perform a Web app scan, check the box on your PCI audit, and still have the security posture of Swiss cheese on your Web app!"</p><p>Print this out and stick it on the wall, for the next time your PHB starts waffling on about compliance .. :)</p></htmltext>
<tokentext>&gt; being PCI compliant is meaningless from a security point of view ?
You can perform a Web app scan , check the box on your PCI audit , and still have the security posture of Swiss cheese on your Web app !
" Print this out and stick it on the wall , for the next time your PHB starts waffling on about compliance .. : )</tokentext>
<sentencetext>&gt; being PCI compliant is meaningless from a security point of view?
You can perform a Web app scan, check the box on your PCI audit, and still have the security posture of Swiss cheese on your Web app!
"Print this out and stick it on the wall, for the next time your PHB starts waffling on about compliance .. :)</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31050400</id>
	<title>Re:PCI Still Important</title>
	<author>Anonymous</author>
	<datestamp>1265478300000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>1</modscore>
	<htmltext><p>Scanning vendors are quite good at discovering non-issues such as the availability of "weak" SSL ciphers and known problems in technology stacks.  They are unfortunately useless when it comes to discovery of application level security problems.</p><p>It's all just a big scam where people pay lots of money to companies who misrepresent actual PCI compliance requirements, hit their servers with Nessus and print out a security audit pass certificate the company can hang on their wall.  It's about as useful and seedy as the SSL market has become in recent years.</p><p>Look at the nonsense in the PCI-DSS and you'll see that it was written by individuals without strong security backgrounds.</p><p>For example they explicitly suggest the use of "secure" one way hash algorithms for storage of card data.  It doesn't matter how good a fricking hash algorithm is when the entropy of the entire possible card space is less than 10 trillion!!</p><p>They provide password complexity guidelines including changing passwords often.  In practice we see all the time that all this does is increase the chances of people writing them on sticky notes and pasting them to their monitors.</p><p>Finally we have the omnipresent virus scanning and firewall checklists. These systems do nothing to protect the application and are incapable of providing security guarantees but MGMT loves them because they get to tick off the firewall and virus checkboxes and then it's just off to continue behaving stupidly as usual with sensitive information.</p><p>It's better than nothing but it really needs to be reviewed by a disinterested third party with a real security background.</p></htmltext>
<tokentext>Scanning vendors are quite good at discovering non-issues such as the availability of " weak " SSL ciphers and known problems in technology stacks .
They are unfortunately useless when it comes to discovery of application level security problems .
It 's all just a big scam where people pay lots of money to companies who misrepresent actual PCI compliance requirements , hit their servers with Nessus and print out a security audit pass certificate the company can hang on their wall .
It 's about as useful and seedy as the SSL market has become in recent years .
Look at the nonsense in the PCI-DSS and you 'll see that it was written by individuals without strong security backgrounds .
For example they explicitly suggest the use of " secure " one way hash algorithms for storage of card data .
It does n't matter how good a fricking hash algorithm is when the entropy of the entire possible card space is less than 10 trillion ! !
They provide password complexity guidelines including changing passwords often .
In practice we see all the time that all this does is increase the chances of people writing them on sticky notes and pasting them to their monitors .
Finally we have the omnipresent virus scanning and firewall checklists .
These systems do nothing to protect the application and are incapable of providing security guarantees but MGMT loves them because they get to tick off the firewall and virus checkboxes and then it 's just off to continue behaving stupidly as usual with sensitive information .
It 's better than nothing but it really needs to be reviewed by a disinterested third party with a real security background .</tokentext>
<sentencetext>Scanning vendors are quite good at discovering non-issues such as the availability of "weak" SSL ciphers and known problems in technology stacks.
They are unfortunately useless when it comes to discovery of application level security problems.
It's all just a big scam where people pay lots of money to companies who misrepresent actual PCI compliance requirements, hit their servers with Nessus and print out a security audit pass certificate the company can hang on their wall.
It's about as useful and seedy as the SSL market has become in recent years.
Look at the nonsense in the PCI-DSS and you'll see that it was written by individuals without strong security backgrounds.
For example they explicitly suggest the use of "secure" one way hash algorithms for storage of card data.
It doesn't matter how good a fricking hash algorithm is when the entropy of the entire possible card space is less than 10 trillion!!
They provide password complexity guidelines including changing passwords often.
In practice we see all the time that all this does is increase the chances of people writing them on sticky notes and pasting them to their monitors.
Finally we have the omnipresent virus scanning and firewall checklists.
These systems do nothing to protect the application and are incapable of providing security guarantees but MGMT loves them because they get to tick off the firewall and virus checkboxes and then it's just off to continue behaving stupidly as usual with sensitive information.
It's better than nothing but it really needs to be reviewed by a disinterested third party with a real security background.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048060</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048064</id>
	<title>scanners == scammers</title>
	<author>sohp</author>
	<datestamp>1265452440000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>A vendor will sell you, or often give you a free trial of, their vulnerability scanning tool. They will then turn right around and sell you a tool that is supposed to fix those problems.  Does anyone else see a problem with that? One reason I prefer the FOSS tools going back to Nmap and SATAN is that they do what real intruders try to do, not what some marketing department wants them to do as a way to scare you into buying stuff.</p></htmltext>
<tokentext>A vendor will sell you , or often give you a free trial of , their vulnerability scanning tool .
They will then turn right around and sell you a tool that is supposed to fix those problems .
Does anyone else see a problem with that ?
One reason I prefer the FOSS tools going back to Nmap and SATAN is that they do what real intruders try to do , not what some marketing department wants them to do as a way to scare you into buying stuff .</tokentext>
<sentencetext>A vendor will sell you, or often give you a free trial of, their vulnerability scanning tool.
They will then turn right around and sell you a tool that is supposed to fix those problems.
Does anyone else see a problem with that?
One reason I prefer the FOSS tools going back to Nmap and SATAN is that they do what real intruders try to do, not what some marketing department wants them to do as a way to scare you into buying stuff.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048026</id>
	<title>Whitehat Security</title>
	<author>MandoSKippy</author>
	<datestamp>1265452140000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I noticed Whitehat Security Declined to participate. I wonder why that is?  We just purchased there service, I like there concept, especially as they sold it, we haven't gotten into full use of the product yet, but I can tell you some of the execution of there service could be improved.  There seems to be a little bit of a disconnect between the sales force and the operations team.  I would have been very interested to see how they fare in a test like this.</htmltext>
<tokentext>I noticed Whitehat Security Declined to participate .
I wonder why that is ?
We just purchased there service , I like there concept , especially as they sold it , we have n't gotten into full use of the product yet , but I can tell you some of the execution of there service could be improved .
There seems to be a little bit of a disconnect between the sales force and the operations team .
I would have been very interested to see how they fare in a test like this .</tokentext>
<sentencetext>I noticed Whitehat Security Declined to participate.
I wonder why that is?
We just purchased there service, I like there concept, especially as they sold it, we haven't gotten into full use of the product yet, but I can tell you some of the execution of there service could be improved.
There seems to be a little bit of a disconnect between the sales force and the operations team.
I would have been very interested to see how they fare in a test like this.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048302</id>
	<title>Re:The cat and mouse game.</title>
	<author>ircmaxell</author>
	<datestamp>1265454840000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext>To tell you the truth, the percentage of actual vulnerabilities that it finds means nothing to me.  What matters to me is the rate of false positives.  Even better would be the number of actual vulnerabilities found divided by the number of false issues found.  <br> <br>
I had a chance to see the outputs of a few of these scanners run against a particular open source content management system.  Not one of them found an actual, confirmable vulnerability.  But one found over 9,000 false positives.  All found a fair number of false positives.  Even if it could find real vulnerabilities, digging through all those false positives to find a real one is a really daunting task.  <br> <br>
What I find works better than these scanners is hand audits by someone who knows what they are looking for.  It's most definitely an intensive task, but let me ask you.  What's a better use of time, an expert doing a hand audit (who may find vulnerabilities that the scanner didn't), or the expert digging through all 9000 of those "results" trying to figure out which, if any, are real?  I assert that the best use is going to be a combination of the two.  Just don't put your faith in either one...</htmltext>
<tokentext>To tell you the truth , the percentage of actual vulnerabilities that it finds means nothing to me .
What matters to me is the rate of false positives .
Even better would be the number of actual vulnerabilities found divided by the number of false issues found .
I had a chance to see the outputs of a few of these scanners run against a particular open source content management system .
Not one of them found an actual , confirmable vulnerability .
But one found over 9,000 false positives .
All found a fair number of false positives .
Even if it could find real vulnerabilities , digging through all those false positives to find a real one is a really daunting task .
What I find works better than these scanners is hand audits by someone who knows what they are looking for .
It 's most definitely an intensive task , but let me ask you .
What 's a better use of time , an expert doing a hand audit ( who may find vulnerabilities that the scanner did n't ) , or the expert digging through all 9000 of those " results " trying to figure out which , if any , are real ?
I assert that the best use is going to be a combination of the two .
Just do n't put your faith in either one.. .</tokentext>
<sentencetext>To tell you the truth, the percentage of actual vulnerabilities that it finds means nothing to me.
What matters to me is the rate of false positives.
Even better would be the number of actual vulnerabilities found divided by the number of false issues found.
I had a chance to see the outputs of a few of these scanners run against a particular open source content management system.
Not one of them found an actual, confirmable vulnerability.
But one found over 9,000 false positives.
All found a fair number of false positives.
Even if it could find real vulnerabilities, digging through all those false positives to find a real one is a really daunting task.
What I find works better than these scanners is hand audits by someone who knows what they are looking for.
It's most definitely an intensive task, but let me ask you.
What's more a better use of time, an expert doing a hand audit who may find vulnerabilities that the scanner didn't), or the expert digging through all 9000 of those "results" trying to figure which, if any, are real?
I assert that the best use is going to be a combination of the two.
Just don't put your faith in either one...</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31047996</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31054832</id>
	<title>Re:"Hold still while we scan you"</title>
	<author>Anonymous</author>
	<datestamp>1265537400000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>Would that be Trustwave, by any chance?</htmltext>
<tokenext>Would that be Trustwave , by any chance ?</tokentext>
<sentencetext>Would that be Trustwave, by any chance?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048722</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31049004</id>
	<title>Re:Whitehat Security</title>
	<author>icepick72</author>
	<datestamp>1265461440000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>"their", "Their", "THEIR"!<br>Sorry, my annoyance level kept rising each time I saw it. Had to scream it in CAPS.</p></htmltext>
<tokenext>" their " , " Their " , " THEIR " ! Sorry , my annoyance level kept rising each time I saw it .
Had to scream it in CAPS .</tokentext>
<sentencetext>"their", "Their", "THEIR"! Sorry, my annoyance level kept rising each time I saw it.
Had to scream it in CAPS.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048026</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048722</id>
	<title>"Hold still while we scan you"</title>
	<author>Anonymous</author>
	<datestamp>1265458800000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><p>My favorite from a past employer - one of these PCI scanning companies asked us to take down our iptables rules for a set time period while they scanned us. That's right, they wanted us to be less secure while they checked how secure we were.</p><p>We were eventually able to get an ip range from them, but not until we fought them a bit. They *would not* do the scan unless we took down our firewall. I wanted to just REJECT everything but 80 and 443 and not tell them, but the higher-ups told me to play along.</p><p>Anyway - the whole idea felt really<nobr> <wbr></nobr>... wrong. And they didn't point out anything useful, either. </p></htmltext>
<tokenext>My favorite from a past employer - one of these PCI scanning companies asked us to take down our iptables rules for a set time period while they scanned us .
That 's right , they wanted us to be less secure while they checked how secure we were .
We were eventually able to get an ip range from them , but not until we fought them a bit .
They * would not * do the scan unless we took down our firewall .
I wanted to just REJECT everything but 80 and 443 and not tell them , but the higher-ups told me to play along .
Anyway - the whole idea felt really ... wrong .
And they did n't point out anything useful , either .</tokentext>
<sentencetext>My favorite from a past employer - one of these PCI scanning companies asked us to take down our iptables rules for a set time period while they scanned us.
That's right, they wanted us to be less secure while they checked how secure we were.
We were eventually able to get an ip range from them, but not until we fought them a bit.
They *would not* do the scan unless we took down our firewall.
I wanted to just REJECT everything but 80 and 443 and not tell them, but the higher-ups told me to play along.
Anyway - the whole idea felt really ... wrong.
And they didn't point out anything useful, either.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31047996</id>
	<title>The cat and mouse game.</title>
	<author>nuckfuts</author>
	<datestamp>1265451780000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>No vulnerability scanner will ever detect 100\% of the vulnerabilities possible. They're still very useful, however, because no website is going to <em>have</em> 100\% of all the vulnerabilities possible.</p><p>Think of it another way. If your website has only 1 vulnerability and the scanner detects it, then it's 100\% effective.</p><p>If your website has only 1 vulnerability and no scanner detects it, score 1 for the bad guys. The cat and mouse game continues.</p></htmltext>
<tokenext>No vulnerability scanner will ever detect 100 \ % of the vulnerabilities possible .
They 're still very useful , however , because no website is going to have 100 \ % of all the vulnerabilities possible .
Think of it another way .
If your website has only 1 vulnerability and the scanner detects it , then it 's 100 \ % effective .
If your website has only 1 vulnerability and no scanner detects it , score 1 for the bad guys .
The cat and mouse game continues .</tokentext>
<sentencetext>No vulnerability scanner will ever detect 100\% of the vulnerabilities possible.
They're still very useful, however, because no website is going to have 100\% of all the vulnerabilities possible.
Think of it another way.
If your website has only 1 vulnerability and the scanner detects it, then it's 100\% effective.
If your website has only 1 vulnerability and no scanner detects it, score 1 for the bad guys.
The cat and mouse game continues.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048172</id>
	<title>App scanners don't make you secure</title>
	<author>mysidia</author>
	<datestamp>1265453520000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>
Scanners exist because people want scanners, and so people can sell a product labelled "security scanner".
And get a feel-good  (false) sense that everything is secure when the scanner reports no issues.
</p><p>
This idea started with the general idea of <b>vulnerability scanner</b>,  tools designed to scan hosts for open ports, check software versions, and try exploits against known issues.</p><p>
The problem with all of them is they can only detect anticipated vulnerabilities.
</p><p>
Unknown vulnerabilities are not properly detected by a scanner, because they cannot be anticipated by software.
</p><p>
Much like Antivirus, they need pattern updates and a re-scan when new issues are discovered.
Sometimes they don't get updated at all -- sometimes new vulnerabilities are discovered, but a test doesn't get created for the scanner.
</p><p>
Sometimes hackers become aware of security vulnerabilities that the maker of the scanner doesn't become aware of.
</p><p>
Sometimes the hacker can analyze the app you are running (which is industry-specific, not common),
and tailor an attack against you, that the scanner vendor could never anticipate.
</p><p>
So are scanners worth something?  Sure.
But usually not nearly as much as the software vendor bills for them -- they are more fallible than even virus scanners  (at least viruses, and malware are finite in number, even if a very large number ---  there are more potential security vulnerabilities than one could possibly imagine).
</p></htmltext>
<tokenext>Scanners exist because people want scanners , and so people can sell a product labelled " security scanner " .
And get a feel-good ( false ) sense that everything is secure when the scanner reports no issues .
This idea started with the general idea of vulnerability scanner , tools designed to scan hosts for open ports , check software versions , and try exploits against known issues .
The problem with all of them is they can only detect anticipated vulnerabilities .
Unknown vulnerabilities are not properly detected by a scanner , because they can not be anticipated by software .
Much like Antivirus , they need pattern updates and a re-scan when new issues are discovered .
Sometimes they do n't get updated at all -- sometimes new vulnerabilities are discovered , but a test does n't get created for the scanner .
Sometimes hackers become aware of security vulnerabilities that the maker of the scanner does n't become aware of .
Sometimes the hacker can analyze the app you are running ( which is industry-specific , not common ) , and tailor an attack against you , that the scanner vendor could never anticipate .
So are scanners worth something ?
Sure . But usually not nearly as much as the software vendor bills for them -- they are more fallible than even virus scanners ( at least viruses , and malware are finite in number , even if a very large number --- there are more potential security vulnerabilities than one could possibly imagine ) .</tokentext>
<sentencetext>
Scanners exist because people want scanners, and so people can sell a product labelled "security scanner".
And get a feel-good  (false) sense that everything is secure when the scanner reports no issues.
This idea started with the general idea of vulnerability scanner,  tools designed to scan hosts for open ports, check software versions, and try exploits against known issues.
The problem with all of them is they can only detect anticipated vulnerabilities.
Unknown vulnerabilities are not properly detected by a scanner, because they cannot be anticipated by software.
Much like Antivirus, they need pattern updates and a re-scan when new issues are discovered.
Sometimes they don't get updated at all -- sometimes new vulnerabilities are discovered, but a test doesn't get created for the scanner.
Sometimes hackers become aware of security vulnerabilities that the maker of the scanner doesn't become aware of.
Sometimes the hacker can analyze the app you are running (which is industry-specific, not common),
and tailor an attack against you, that the scanner vendor could never anticipate.
So are scanners worth something?
Sure.
But usually not nearly as much as the software vendor bills for them -- they are more fallible than even virus scanners  (at least viruses, and malware are finite in number, even if a very large number ---  there are more potential security vulnerabilities than one could possibly imagine).
</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048478</id>
	<title>What is it about again?</title>
	<author>dvh.tosomja</author>
	<datestamp>1265456460000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I read TFA because summary does not make sense only to find out that TFA does not make sense.</p></htmltext>
<tokenext>I read TFA because summary does not make sense only to find out that TFA does not make sense .</tokentext>
<sentencetext>I read TFA because summary does not make sense only to find out that TFA does not make sense.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048234</id>
	<title>Simple fix: double the reported value</title>
	<author>noidentity</author>
	<datestamp>1265454360000</datestamp>
	<modclass>Funny</modclass>
	<modscore>2</modscore>
	<htmltext>If these scanners report only half the vulnerabilities, they just need to double the reported number. Simple fix, really.</htmltext>
<tokenext>If these scanners report only half the vulnerabilities , they just need to double the reported number .
Simple fix , really .</tokentext>
<sentencetext>If these scanners report only half the vulnerabilities, they just need to double the reported number.
Simple fix, really.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048098</id>
	<title>missed the point</title>
	<author>Lord Ender</author>
	<datestamp>1265452740000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>This guy is trying to hype his own findings a bit too much. Removing half of the vulnerabilities is actually really good! If you happen to remove the vulnerability that some mass-defacement takes advantage of, you really did add a lot of value by using the imperfect scanning tool.</p><p>One of the most common and least helpful fallacies about security is that something is either secure or it is not. Nothing is 100\% secure. Removing half of the vulnerabilities is a huge improvement over removing none.</p></htmltext>
<tokenext>This guy is trying to hype his own findings a bit too much .
Removing half of the vulnerabilities is actually really good !
If you happen to remove the vulnerability that some mass-defacement takes advantage of , you really did add a lot of value by using the imperfect scanning tool .
One of the most common and least helpful fallacies about security is that something is either secure or it is not .
Nothing is 100 \ % secure .
Removing half of the vulnerabilities is a huge improvement over removing none .</tokentext>
<sentencetext>This guy is trying to hype his own findings a bit too much.
Removing half of the vulnerabilities is actually really good!
If you happen to remove the vulnerability that some mass-defacement takes advantage of, you really did add a lot of value by using the imperfect scanning tool.
One of the most common and least helpful fallacies about security is that something is either secure or it is not.
Nothing is 100\% secure.
Removing half of the vulnerabilities is a huge improvement over removing none.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048060</id>
	<title>PCI Still Important</title>
	<author>savanik</author>
	<datestamp>1265452440000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>3</modscore>
	<htmltext><p>The key message here is that simply testing your web site with a vulnerability scanner doesn't make it secure. Well, duh.</p><p>PCI is still important because before the guidelines, most people weren't scanning their web sites <b>at all</b>. Even when they knew how - they couldn't convince management it was worth the trouble, time, dollars, and so on. And without scans, the number of discovered web vulnerabilities approaches 0\%.</p><p>PCI isn't just about scanning your website, either. There's hundreds of things you have to do to secure everything from the physical layer up to the application layer. And having PCI be required to process credit cards makes everything much more secure. I'm talking about small businesses so cheap they don't want to put LOCKS on the doors between the outside world and the servers holding your plain-text, unencrypted credit card numbers, and who don't have the expertise to set up a web camera on their own building.</p><p>You might not like PCI, it might be inconvenient, but it's necessary to protect the general public.</p><p>Disclaimer: I am an information security professional.</p></htmltext>
<tokenext>The key message here is that simply testing your web site with a vulnerability scanner does n't make it secure .
Well , duh .
PCI is still important because before the guidelines , most people were n't scanning their web sites at all .
Even when they knew how - they could n't convince management it was worth the trouble , time , dollars , and so on .
And without scans , the number of discovered web vulnerabilities approaches 0 \ % .
PCI is n't just about scanning your website , either .
There 's hundreds of things you have to do to secure everything from the physical layer up to the application layer .
And having PCI be required to process credit cards makes everything much more secure .
I 'm talking about small businesses so cheap they do n't want to put LOCKS on the doors between the outside world and the servers holding your plain-text , unencrypted credit card numbers , and who do n't have the expertise to set up a web camera on their own building .
You might not like PCI , it might be inconvenient , but it 's necessary to protect the general public .
Disclaimer : I am an information security professional .</tokentext>
<sentencetext>The key message here is that simply testing your web site with a vulnerability scanner doesn't make it secure.
Well, duh.
PCI is still important because before the guidelines, most people weren't scanning their web sites at all.
Even when they knew how - they couldn't convince management it was worth the trouble, time, dollars, and so on.
And without scans, the number of discovered web vulnerabilities approaches 0\%.
PCI isn't just about scanning your website, either.
There's hundreds of things you have to do to secure everything from the physical layer up to the application layer.
And having PCI be required to process credit cards makes everything much more secure.
I'm talking about small businesses so cheap they don't want to put LOCKS on the doors between the outside world and the servers holding your plain-text, unencrypted credit card numbers, and who don't have the expertise to set up a web camera on their own building.
You might not like PCI, it might be inconvenient, but it's necessary to protect the general public.
Disclaimer: I am an information security professional.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048292</id>
	<title>Re:PCI compliant is meaningless?</title>
	<author>maxume</author>
	<datestamp>1265454780000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Try a little harder, the attribution is just before it (apparently that is the submitter's opinion).</p></htmltext>
<tokenext>Try a little harder , the attribution is just before it ( apparently that is the submitter 's opinion ) .</tokentext>
<sentencetext>Try a little harder, the attribution is just before it (apparently that is the submitter's opinion).</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048056</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31047880</id>
	<title>Every system is different</title>
	<author>MichaelSmith</author>
	<datestamp>1265450400000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Take buffer overflows for example. You can build a generic tool to create buffer overflows by feeding in long messages but there is no generic way to exploit the overflow, because every system arranges its data differently.</p><p>BTW there is a typo in the summary <i>pitted eah scanner</i></p></htmltext>
<tokenext>Take buffer overflows for example .
You can build a generic tool to create buffer overflows by feeding in long messages but there is no generic way to exploit the overflow , because every system arranges its data differently .
BTW there is a typo in the summary pitted eah scanner</tokentext>
<sentencetext>Take buffer overflows for example.
You can build a generic tool to create buffer overflows by feeding in long messages but there is no generic way to exploit the overflow, because every system arranges its data differently.
BTW there is a typo in the summary pitted eah scanner</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31051422</id>
	<title>Incorrect title is just FUCKING blanket statement</title>
	<author>Anonymous</author>
	<datestamp>1265542320000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>NTOSpider found over twice as many vulnerabilities as the average competitor having a 94\% accuracy rating.</p><p>Doesn't sound exactly like ALL of them missed 50\% of vulnerabilities. If I hadn't continued reading, I'd have thought that all scanners are useless.</p></htmltext>
<tokenext>NTOSpider found over twice as many vulnerabilities as the average competitor having a 94 \ % accuracy rating .
Does n't sound exactly like ALL of them missed 50 \ % of vulnerabilities .
If I had n't continued reading , I 'd have thought that all scanners are useless .</tokentext>
<sentencetext>NTOSpider found over twice as many vulnerabilities as the average competitor having a 94\% accuracy rating.
Doesn't sound exactly like ALL of them missed 50\% of vulnerabilities.
If I hadn't continued reading, I'd have thought that all scanners are useless.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31047860</id>
	<title>Not a surprise to me.</title>
	<author>Anonymous</author>
	<datestamp>1265450220000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p>&gt; Web App Scanners Miss Half of Vulnerabilities</p><p>Well this is no surprise to me. Designing/testing secure systems is much more than scanning for vulnerabilities.</p><p>Scanning is only one of the tools to use to accomplish the goal.</p></htmltext>
<tokenext>&gt; Web App Scanners Miss Half of Vulnerabilities
Well this is no surprise to me .
Designing/testing secure systems is much more than scanning for vulnerabilities .
Scanning is only one of the tools to use to accomplish the goal .</tokentext>
<sentencetext>&gt; Web App Scanners Miss Half of Vulnerabilities
Well this is no surprise to me.
Designing/testing secure systems is much more than scanning for vulnerabilities.
Scanning is only one of the tools to use to accomplish the goal.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31059384</id>
	<title>Re:Whitehat Security</title>
	<author>yahwotqa</author>
	<datestamp>1265630400000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Its best if you loose you're anger.</p></htmltext>
<tokenext>Its best if you loose you 're anger .</tokentext>
<sentencetext>Its best if you loose you're anger.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31049004</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31047966</id>
	<title>Re:Every system is different</title>
	<author>gandhi\_2</author>
	<datestamp>1265451540000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>So we should probably be thankful that "web app scanners catch half of vulnerabilities".</p></htmltext>
<tokenext>So we should probably be thankful that " web app scanners catch half of vulnerabilities " .</tokentext>
<sentencetext>So we should probably be thankful that "web app scanners catch half of vulnerabilities".</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31047880</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048096</id>
	<title>Being "compliant" with a standard is meaningless</title>
	<author>Opportunist</author>
	<datestamp>1265452740000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>At least when it comes to security. By the time any standard is published and a test suite is assembled, the whole threat scenario has changed by 180 degrees. We're dealing here with an industry that has a half-life period of its knowledge of about 3 months. Not the usual 2-3 years anywhere else in IT.</p><p>Don't be compliant. Either get up to speed with current security problems or hire someone who does. Standards are worth jack, at least from a security point of view (they're still quite valuable to get contracts from companies who have been BSed into believing in the standards themselves).</p></htmltext>
<tokenext>At least when it comes to security .
By the time any standard is published and a test suite is assembled , the whole threat scenario has changed by 180 degrees .
We 're dealing here with an industry that has a half-life period of its knowledge of about 3 months .
Not the usual 2-3 years anywhere else in IT .
Do n't be compliant .
Either get up to speed with current security problems or hire someone who does .
Standards are worth jack , at least from a security point of view ( they 're still quite valuable to get contracts from companies who have been BSed into believing in the standards themselves ) .</tokentext>
<sentencetext>At least when it comes to security.
By the time any standard is published and a test suite is assembled, the whole threat scenario has changed by 180 degrees.
We're dealing here with an industry that has a half-life period of its knowledge of about 3 months.
Not the usual 2-3 years anywhere else in IT.
Don't be compliant.
Either get up to speed with current security problems or hire someone who does.
Standards are worth jack, at least from a security point of view (they're still quite valuable to get contracts from companies who have been BSed into believing in the standards themselves).</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048970</id>
	<title>and, again, this is only against their own tests</title>
	<author>anton\_kg</author>
	<datestamp>1265461020000</datestamp>
	<modclass>None</modclass>
	<modscore>2</modscore>
	<htmltext>Don't forget these results are supposed to be 100\% because their own test application has been scanned.
It means actual results will be much lower against a real application.</htmltext>
<tokenext>Do n't forget these results are supposed to be 100 \ % because their own test application has been scanned .
It means actual results will be much lower against a real application .</tokentext>
<sentencetext>Don't forget these results are supposed to be 100\% because their own test application has been scanned.
It means actual results will be much lower against a real application.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31051954</id>
	<title>one of these PCI scanning companies</title>
	<author>viralMeme</author>
	<datestamp>1265552340000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>&gt; one of these PCI scanning companies asked us to take down our iptables rules for a set time period while they scanned us</p><p>Can you give examples of companies that scan companies in the manner you describe? My understanding is that to achieve PCI compliance, you fill in a bunch of forms. I mean Heartland Payment Systems were PCI compliant, and look what happened to them.</p></htmltext>
<tokenext>&gt; one of these PCI scanning companies asked us to take down our iptables rules for a set time period while they scanned us
Can you give examples of companies that scan companies in the manner you describe ?
My understanding is that to achieve PCI compliance , you fill in a bunch of forms .
I mean Heartland Payment Systems were PCI compliant , and look what happened to them .</tokentext>
<sentencetext>&gt; one of these PCI scanning companies asked us to take down our iptables rules for a set time period while they scanned us
Can you give examples of companies that scan companies in the manner you describe?
My understanding is that to achieve PCI compliance, you fill in a bunch of forms.
I mean Heartland Payment Systems were PCI compliant, and look what happened to them.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048722</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048738</id>
	<title>Isn't security scanning...</title>
	<author>Anonymous</author>
	<datestamp>1265458920000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>... Turing-reducible to the halting problem? That is, the conclusion that they miss half the vulnerabilities should be obvious.</p></htmltext>
<tokenext>... Turing-reducible to the halting problem ?
That is , the conclusion that they miss half the vulnerabilities should be obvious .</tokentext>
<sentencetext>... Turing-reducible to the halting problem?
That is, the conclusion that they miss half the vulnerabilities should be obvious.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31049946</id>
	<title>Re:App scanners don't make you secure</title>
	<author>Anonymous</author>
	<datestamp>1265472480000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Code auditing is quite expensive. If you cut the auditing time by an amount proportional to the costs of the software I am quite sure that is a significant improvement.</p><p>Using automatic tools for analysis is never meant to be a replacement for real analysis. But every issue handled by an automatic analysis tool is an issue you don't have to handle yourself.</p></htmltext>
<tokenext>Code auditing is quite expensive .
If you cut the auditing time by an amount proportional to the costs of the software I am quite sure that is a significant improvement .
Using automatic tools for analysis is never meant to be a replacement for real analysis .
But every issue handled by an automatic analysis tool is an issue you do n't have to handle yourself .</tokentext>
<sentencetext>Code auditing is quite expensive.
If you cut the auditing time by an amount proportional to the costs of the software I am quite sure that is a significant improvement.
Using automatic tools for analysis is never meant to be a replacement for real analysis.
But every issue handled by an automatic analysis tool is an issue you don't have to handle yourself.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048172</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31047988</id>
	<title>Re:Every system is different</title>
	<author>Anonymous</author>
	<datestamp>1265451720000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>&gt; buffer overflows for example</p><p>What do you mean? The platform we use checks for array/buffer bounds on any access to them. We also use a persistence tool that is pretty good at preventing SQL injections.</p><p>It sure beats scanning on the efficiency level ;-))</p></htmltext>
<tokenext>&gt; buffer overflows for example
What do you mean ?
The platform we use checks for array/buffer bounds on any access to them .
We also use a persistence tool that is pretty good at preventing SQL injections .
It sure beats scanning on the efficiency level ; - ) )</tokentext>
<sentencetext>&gt; buffer overflows for example
What do you mean?
The platform we use checks for array/buffer bounds on any access to them.
We also use a persistence tool that is pretty good at preventing SQL injections.
It sure beats scanning on the efficiency level ;-))</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31047880</parent>
</comment>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_06_1933211_1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31049830
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048722
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_06_1933211_5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31049946
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048172
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_06_1933211_4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31047988
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31047880
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_06_1933211_9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31059384
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31049004
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048026
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_06_1933211_8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048292
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048056
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_06_1933211_10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31051954
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048722
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_06_1933211_2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048166
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31047996
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_06_1933211_6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048302
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31047996
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_06_1933211_0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31047966
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31047880
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_06_1933211_11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31050400
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048060
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_06_1933211_12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048092
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31047996
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_06_1933211_3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31049804
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048722
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_06_1933211_7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31054832
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048722
</commentlist>
</thread>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_06_1933211.4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048722
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31049830
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31049804
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31054832
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31051954
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_06_1933211.2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048056
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048292
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_06_1933211.7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31047860
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_06_1933211.1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048026
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31049004
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31059384
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_06_1933211.8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31047880
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31047988
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31047966
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_06_1933211.5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31047996
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048092
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048166
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048302
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_06_1933211.6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048172
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31049946
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_06_1933211.3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048060
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31050400
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_06_1933211.0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_06_1933211.31048096
</commentlist>
</conversation>
